The Investigatory Powers Bill and Online Privacy


The Investigatory Powers Bill (IPB) has been approved by the UK Parliament and will come in force in 2017.

We decided to do a deeper analysis of this law, since it potentially impacts a large number of ProtonMail users. According to our 2016 Encrypted Email User Survey, the UK accounts for the third largest group of ProtonMail users after the US and Russia. It came as a surprise to us that the law passed with such little fanfare, so we feel it is necessary to draw attention to what is quite possibly the worst surveillance law to have been passed so far in a Western democracy.

At ProtonMail, advocacy is a large part of what we do, and whether it’s fighting surveillance laws in Switzerland, working with the ACLU in the United States, or supporting investigative journalists in Asia, our mission is to ensure that the rights to privacy and freedom of speech, both critically important for democracy, remain protected. Simultaneously, we are employing our technology to provide individuals and organizations better protection against growing cyberthreats.

Developing end-to-end encryption technology like that used in ProtonMail is just one part of the battle. Just as important are the advocacy activities of educating politicians, journalists, and ultimately the youth who make up the next generation of leaders. To support this mission, ProtonMail works with lawyers both in-house and from outside human rights organizations, and a non-trivial part of our revenue goes towards supporting such efforts. With our legal team, we have created a short summary of the most relevant points of the IPB.

What is the Investigatory Powers Bill?

The IPB is a new Act of Parliament that gives broad new powers to UK intelligence agencies (GCHQ, MI5) and law enforcement. The key powers are:

1. Retention of Internet browsing records for 1 year

This is in our opinion the worst part of the law. Imagine your browsing history for the entire past year accessible to the government or police without a warrant. This would allow the construction of detailed profiles on every citizen, and categorization based on political views, personal beliefs, and much more.

All UK communication service providers (so Internet providers, phone companies, email providers, etc), will be required to retain 1 year of your internet connection records in a central database. This database includes what sites you visited, when you visited the site, for how long, who you called, who you emailed, etc. All of this data will be stored in a central database accessible to the government and law enforcement. More troubling is that no warrant or judicial oversight is required to gain access to this database, the police will have sole discretion to decide when they need to access this database.

2. Bulk collection of communications data

British communications providers will be required by law to assist in intercepting communications data in relation to an investigation. So far, foreign companies are not required to comply, but as we will discuss below, there are some caveats to this.

3. Breaking Encryption

Communication providers will be mandated by law to remove encryption whenever it is “practical”. The law is particularly dangerous because it doesn’t well define what is the meaning of “practical”, which means this can be subject to the government’s interpretation.

4. Enforcement of gag orders

When a communications provider receives a request for data, it is not permitted to reveal that the request took place. Under IPB, it is now a criminal offense for either the communications provider, or somebody working for the provider, to reveal a data request. Thus, if the powers of the IPB are abused, a whistleblower would be committing a criminal offense by revealing the abuse.

I don’t use a UK based communications provider, am I safe?

In theory, the IPB only applies to UK companies, but today with the rise of large multinational tech companies, even non-UK companies can be pressured to comply if they have a significant UK presence and employees in the UK. Since any such requests will happen behind the scenes, we will never know if foreign companies do comply with the IPB. Since the UK is a member of the Five Eyes network, along with the USA, Canada, Australia, and New Zealand, the intelligence scooped up by the IPB will also be shared with US intelligence so UK residents could find their private data being shared beyond UK borders.

Is ProtonMail still safe? How do I protect myself?

As a Swiss company, ProtonMail does not fall under the jurisdiction of the IPB. We believe that strong encryption isn’t just important for privacy, but also key to providing security in the digital age, and we will continue to advocate this position to governments and business leaders. If you would like to support our advocacy efforts, upgrading to a paid ProtonMail account is a great way to do so.

Bills like the IPB pose an unprecedented threat to democracy, and are strikingly similar to surveillance laws from totalitarian states. Fortunately, there are tools today that can help protect our digital rights. Getting a ProtonMail encrypted email account can protect your email communications from being intercepted or read by government agencies. The rest of your online activities can also be protected. In particular, we recommend using VPN services that don’t have a physical presence in the UK (like free vpn service ProtonVPN), and also using apps like Signal for text messaging, or Tresorit for file sharing. Most importantly, we have to spread the word that more surveillance and less encryption isn’t the solution to today’s security challenges.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

ProtonMail is supported by community contributions. We don’t serve ads or abuse your privacy. You can support our mission by upgrading to a paid plan or donating.

The banner image of this blog post is provided under a free, unrestricted use, license

About the Author

Proton Team

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.


Comments are closed.

25 comments on “The Investigatory Powers Bill and Online Privacy

  • Will Protonmail stay in Switzerland ? The new Swiss surveillance law (BÜPF) requires all email providers to store metadata…

      • Your article talks about the NDG law. The NDG has little impact, agreed. But I’m talking about the BUPF law, which requires email providers based in Switzerland to store all metadata for 6 months.

        • This has always been the case actually. Metadata is something that cannot be encrypted (because we need to know who to deliver the mail to), and even in the past, it could always be requested by law enforcement if there is a valid Swiss court order in cases of criminal conduct. This is something quite different from the warrant-less access that is granted by the UK Investigatory Powers Bill, as the criminal conduct must be proven to a judge before metadata can be accessed.

          • Was my previous response “lost” somehow? I said the new BUPF law requires email providers based in Switzerland to store IP data, payment data and possibly even account holder data for at least 6 months, and hand it over to police or secret service if requested to do so.

          • We have discussed this with the Swiss government and the interpretation of the law that will be used will see it only applied to large ISPs.

  • I highly suggest people look into VPNs, if you haven’t already.

    When using Protonmail I always make sure the exit node is located in Switzerland – it’s best to connect directly to the country of which the end server you’re trying to connect to is located in so that your unencrypted traffic passes through as few countries/jurisdictions as possible.

    I myself have begun looking into how to use VPNs within VPNs and may even begin using Tails Linux or Qubes along with Tor and hardware-encrypted drives like the IronKey/DataLocker ones on top of all that.

    Things are getting weird and I don’t think there’s any such thing as being too paranoid anymore.

    Hey ProtonMail – try making an actual (open source, of course) client so that people don’t even need a browser to access their mail. It’s more secure to do it that way. I suppose you won’t even need JavaScript for people who use such an application, correct? You could use straight-up PGP instead of PGPjs, moving away from JavaScript, correct? Hoping it’s coming soon!

    • The thing about VPNs, that is often overlooked or not mentioned, is that the technology is not designed for privacy; it is meant for extending local networks over the Internet. You have to trust that network as much as your own. If not, you are basically just relocating the problem to a different jurisdiction, hoping that this will resolve the issues you are trying to avoid. Whether your communication is treated in a confidential manner, is a matter of policy only and it depends upon the VPN provider. Not all providers promise this or hold themselves to that promise. There is always the danger that a VPN provider may work against you.

      Firms like Opera ignore this danger and think they are doing the world a service by providing a ‘free’ VPN service, baked into the Opera browser. VPNs are inherently dangerous for that purpose and their usage should be considered carefully. I would only use them if I have utmost trust in the provider (or am really distrustful of my ISP) and only for specific purposes.

          • I think I know the solution : ProtonVPN ;-). I know you guys are very busy but if it would be created, I’m the first to switch and leave my current VPN-provider. And I’d like to pay for it of course! So dear PM-ers, is there still some space on your to-do-list? Sounds good : ProtonVPN. Don’t you agree?

      • VPNs also don’t anonymise activity. Even that last sentence could be used to narrow down where I’m from, I used an ‘s’ in anonymise instead of a ‘z’, so I’m probably not American (I might be lying). More important than changing your presented IP address is changing your internet behaviour. I have dummy social media and email accounts for anything I say publicly and I don’t use VPNs for those (changing IP addresses frequently is a big neon red flag).
        I saw a Firefox “hardening” guide a few months back that actually recommended disabling the Do-Not-Track flag, because most places ignore it anyway. But almost all browsers enable it by default, so disabling it (it’s literally changing a 1 to a 0) makes your browser fingerprint more identifiable.
        Use a clean browser (if needs be in a virtual machine) that doesn’t allow trackers/cookies/plugins/addons, exclusively for sites that you don’t have to use an account for (as soon as you sign in with the same information, you can be tracked). Opera and Epic Privacy Browser are good examples, with Opera not reliant on Chrome or Firefox for its architecture (Tor has lots of Firefox’s issues), while Epic has a built in proxy manager (soft VPN) and a hard ban on addons and plugins.

  • I understand Protonmail has operations in the US and sizable VC investments… Not sure to be 100% confident of what would happen about the NSA knocking on your doorstep on behalf of the GCHQ.

    But to a certain extent I think it is pretty much academic – if Protonmail is as good as you claim (and I’m fairly convinced it is) I’m very much convinced that your are a top target both for “interception” and planting some operatives as mules. Might sound paranoiac but I have seen it first hand. I don’t expect you to share whatever procedures you follow to contain that but I certainly hope you have a very close look to any hardware coming in and have a very thight source control…

  • Less encryption and more surveillance means that a business plan is deploying at a large scale without any restriction.
    Encryption like privacy or in short , a right does not exist in a rogue state which paris (fr) …
    E.u does not accept any right for any person who are not working in their office.
    The arab revolutionary army lives as guest in a lot of place and uses tools/cars like every body.
    *Collecting data is a machine routine and non-professional -which bad isp provider- abuse … these uk laws are nothing less that an informal alignment …

  • Will Protonmail ever be able to implement “voip” so we can go through Protonmail using computer as a phone?

    • pCloud policy : Data Centers
      pCloud hosts user data through a leading certified data center via collocation. When using the pCloud service user’s data is transferred to our outsourced servers -located in swizerland e.g.- via TLS/SSL protocol and is copied on at least three server locations in a highly secure certified data center in Dallas, Texas, USA.

  • i’m very like protonmail.only one small question,could you add “wechat” into share link?as you know,most of chinese are using wechat,and we cant use google/facebook/twitter in china because of “the great wall”.so i think if you add “wechat” into share link,i and other chinese user can share these good news to our friends.
    i hope not trouble you,thanks!

      • yeah,i’m very happy you can read it.and if it possible,can we creat an irc channel to suppose?or we can talk anything about protonmail on irc.

          • ok,reddit is a good place,though less people use it in China.if you like,welcome to ##g,freenode,it’s my channel,to disscuss anything!and at the end of this year,protonmail is not the end :) HAPPY NEW YEAR!